Magento 2.0.16 and 2.1.9 Security Update

Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include support for the changes to the USPS shipping rates that the USPS introduced on September 1, 2017.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.1.9.

Magento does not correctly expire concurrent sessions. A customer could log out under the mistaken assumption that all of their sessions have expired, but an attacker could later access the account through one of the sessions that remained valid.
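The defect above is that logging out ends only the caller's session while other concurrent sessions for the same customer stay valid. The following is an added example, not Magento's code, of a session store that indexes sessions per user so that a logout revokes every concurrent session, and that enforces idle and absolute timeouts on each lookup. The timeout values, user ids and the in-memory store are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed limits for the demonstration; real deployments tune these.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on a session's total lifetime


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory session store that indexes sessions per user, so a logout
    can revoke every concurrent session of that user, not just the caller's."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._sessions = {}          # session id -> Session
        self._by_user = {}           # user id -> set of session ids

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def validate(self, sid: str):
        """Return the owning user id if the session is live, else None.
        Idle and absolute timeouts are enforced on every lookup."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self._drop(sid)
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, sid: str, everywhere: bool = True) -> int:
        """Revoke the calling session and, by default, all other sessions of
        the same user. Returns how many sessions were revoked."""
        s = self._sessions.get(sid)
        if s is None:
            return 0
        targets = set(self._by_user.get(s.user_id, ())) if everywhere else {sid}
        for t in targets:
            self._drop(t)
        return len(targets)

    def active_sessions(self, user_id: str) -> int:
        return len(self._by_user.get(user_id, ()))

    def _drop(self, sid: str) -> None:
        s = self._sessions.pop(sid, None)
        if s is not None:
            self._by_user.get(s.user_id, set()).discard(sid)


if __name__ == "__main__":
    store = SessionStore()
    phone = store.create("customer-42")      # constructed customer id
    laptop = store.create("customer-42")
    print("active before logout:", store.active_sessions("customer-42"))
    store.logout(phone)                      # logging out on the phone...
    print("laptop still valid:", store.validate(laptop))   # ...revokes the laptop too
```

The per-user index is the part that matters: without it the store has no way to find the other sessions at logout time, which is exactly the state the advisory describes. The `everywhere=False` path is kept only to show the weaker behaviour side by side.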

Product(s) Affected:

Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9

Fixed In:

Magento 2.0.16, Magento 2.1.9

Reporter:

Internal

APPSEC-1802: Customer registration through frontend does not have anti-CSRF protection

Type:

Cross-Site Request Forgery (CSRF)

CVSSv3 Severity:

5.8 (Medium)

Known Attacks:

None

Description:

We've added CSRF protection to the customer registration process to prevent attackers from taking over accounts.
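As an added illustration of the protection described above (example code, not Magento's implementation), the registration handler below accepts a submission only when it carries a token minted for the submitting session. The token is an HMAC over the session id and a random nonce, compared in constant time, so a forged cross-site POST, which cannot read the victim's token, is rejected before any account is created. The server key, session ids and the `form_key` field name are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class CsrfGuard:
    """Issues per-session anti-CSRF tokens and verifies them in constant time.
    A token is nonce.HMAC(server_key, session_id:nonce); it is valid only for
    the session it was minted for, so a token captured from one session cannot
    be replayed against another."""

    def __init__(self, server_key: bytes):
        self._key = server_key

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def verify(self, session_id: str, token) -> bool:
        # Reject anything that is not a well-formed ASCII "nonce.mac" string
        # before touching compare_digest (it raises on non-ASCII str input).
        if not isinstance(token, str) or not token.isascii() or "." not in token:
            return False
        nonce, mac = token.split(".", 1)
        return hmac.compare_digest(mac, self._mac(session_id, nonce))


def handle_registration(guard: CsrfGuard, session_id: str, form: dict) -> tuple:
    """Hypothetical registration endpoint. The form must carry a token valid
    for the submitting session (field name form_key is an assumption) before
    any input is processed or an account is created."""
    if not guard.verify(session_id, form.get("form_key")):
        return 403, "invalid or missing anti-CSRF token"
    if not form.get("email"):
        return 400, "email required"
    return 200, f"account created for {form['email']}"


if __name__ == "__main__":
    guard = CsrfGuard(b"constructed-server-key")   # assumption: key kept server-side
    session = "sess-victim"                        # constructed session id

    # Legitimate flow: the registration page embeds a token for this session.
    token = guard.issue(session)
    print(handle_registration(guard, session, {"email": "a@example.com", "form_key": token}))

    # Cross-site submission: the browser sends the victim's session cookie,
    # but the attacking page could not read the token, so the form lacks it.
    print(handle_registration(guard, session, {"email": "attacker@example.com"}))
```

Binding the token to the session id (rather than issuing a global secret) means a token observed in one session is useless in another, and checking the token before validating or storing any field keeps the rejected request from having side effects.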

Product(s) Affected:

Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9

Fixed In:

Magento 2.0.16, Magento 2.1.9

Reporter:

Internal

APPSEC-1493: CMS Page Title Stored XSS

Type:

Cross-Site Scripting (XSS, stored)

CVSSv3 Severity:

5.8 (Medium)

Known Attacks:

None

Description:

A Magento administrator can inject executable scripts in non-executable areas, such as the page title.
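The mitigation for a stored XSS in a text-only field like the page title is to treat the stored value as data and escape it at output time, in every context it is rendered into. The following added example, which is not Magento's rendering code, shows a constructed page skeleton where the title appears as element text and inside a quoted attribute, and why escaping with quote handling is needed for the attribute case. The template and the sample title are constructed for the demonstration; the page body is left as admin-authored HTML by design, which is why the title, a plain-text field, is the one that must be escaped.

```python
import html
from string import Template

# Constructed page skeleton (Magento's real layout is richer); it only shows
# the three contexts a page title lands in: <title>, an attribute, and <h1>.
PAGE_TEMPLATE = Template(
    "<!doctype html>\n<html><head>\n"
    "<title>$title</title>\n"
    '<meta property="og:title" content="$title">\n'
    "</head><body>\n<h1>$title</h1>\n$body\n</body></html>\n"
)


def escape_text(value: str) -> str:
    """HTML-escape a value for element text and for double-quoted attributes.
    quote=True also converts " and ', which matters for the content="..." case:
    without it a title could close the attribute and start a new one."""
    return html.escape(value, quote=True)


def render_cms_page(title: str, body_html: str) -> str:
    """Render a CMS page. The title is plain text and is escaped at output
    time; the body is admin-authored HTML and is emitted as-is by design."""
    return PAGE_TEMPLATE.substitute(title=escape_text(title), body=body_html)


def title_rendered_inert(rendered: str, raw_title: str) -> bool:
    """True when none of the markup-significant characters of the raw title
    survived unescaped into the rendered page."""
    return not any(ch in raw_title and ch in rendered.split("<body>", 1)[1].split("\n", 1)[1][:0]
                   for ch in "<>\"'") and raw_title not in rendered


if __name__ == "__main__":
    # Constructed malicious title of the kind the advisory describes.
    stored_title = 'Summer "Sale" <script>alert(1)</script>'
    page = render_cms_page(stored_title, "<p>Welcome to the sale.</p>")
    print(page)
    print("title inert:", title_rendered_inert(page, stored_title))
```

Escaping once at the template boundary, rather than stripping tags on save, keeps the stored value intact for editing while guaranteeing the browser never sees it as markup; the attribute context is the one most often missed when a field is "only a title".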